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<?xml version="1.0" ?> 
- <AgentProtocol xmlns="http://www.nai.com" 

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd"> 

- <ControiData> 

<Version>0x01000001</Version> 
<MinVersion>0x01000001</MinVersion> 
< Com ma nd > Req uestCustomAction </Command > 
<Server>nedlwnts2ke</Server> 
</ControlData> 

- <CustomActions 

id="<AGENT_INSTALLED_DIR>\\CustomActionsLIbrary\\CustActl.dlll"> 

- <Method id="GetRegStringValue"> 

<Parameter id="Key" type="xs:string" 

inout="in"><AGENT_INSTALLED_REGKEY></Parameter> 
<Parameter id="Valuename" type="xs:string" 

inout="in">AgentVersion</Parameter> 
<Parameter id="Result" type="xs:strlng" inout="out" /> 
</Method> 
</CustomActions> 

- < Custom Actions id="{06E0062A-5069-4793-ACED-F80BElBBC4AF>"> 

- <Interface id="{C9ElCC03-S007-412A-8F5D-532C57DF4482>"> 

- < Method id= "ExecuteSilentInstallation"> 

<Parameter id="ProductNaine" type="xs:string" 

inout="in">TestInstallProduct</Parameter> 
<Parameter id="ProductVersion" type="xs:decimar' 

inout="in">0x01000001</Parameter> 
<Parameter id="Location" type="xs:string" 

inout="in">c:\InstallImages</Parameter> 
<Parameter id="Result" type="xs:string" inout="out" /> 
</Method> 
</Interface> 

- <Interface id="{C9ElCC03-8007-412A-8F5D-532C57DF4482>"> 

- < Method id="GetSysteniDirectory"> 

<Parameter id="Dlrectory" type="xs:string" mout="out" /> 
<Parameter id="Resull" type="xs:decimal" inout="out" /> 

</Method> 
</Intetface> 
</CustomActions> 

- <CustomActions id= "{06E0062B-5069-4793-ACED-F80BElBBC4AF> "> 

- <Interface id="{A000CC03-8007-412A-8F5D-532C57DF4482>"> 

- <Method id="TriggerEvent"> 

<Parameter id="EventID" type="xs:declmar' 
inout="in">1000</Parameter> 

<Parameter id="EventDescription" type="xs:decimal" 
inout="in">The event o/oEventlDo/o has been triggered by 9/6 
USERNAME°/o on computer <»/oCOMPUTERNAME*>/o. The % 
FILENAME°/o file is infected with o/oVIRUSNAME°/o. This has 
been detected by engineversion %ENGINEVERSION°/o 
datversion o/oDATVERSION<yo.</Parameter> 

<Parameter id = "COMPUTERNAME" type="xs:string" 
inout="in">sourceconnputer</Parameter> 

<Parameter id="USERNAME" type="xs:string" 
inout="in">sourceuser</Parameter> 

<Parameter id="FILENAME" type="xs:string" ■"""'^ 



inout="in">kernel32.dll</Parameter> \\.C 



<Param€ter id="VIRUSNAME" type="xs:string" 
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inout="in">Nimbda</Parameter> 
<Parameter id="ENGINEVERSION" type="xs:decimal" 

inout="in">0x04005001</Parameter> 
<Parameter icl="DATVERSION" type="xs:decimar' 

inout="in">Ox07003009</Parameter> 
<Parameter id="Result" type="xs:string" inout="out" /> 
</Nlethod> 
</Interface> 
</CustomActions> 
</AgentProtocol> 
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<?xml version="1.0" ?> 
- <AgentProtocol xmlns= "http://www.nai.com" 

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation=" http://www.nai.com CustomActionsProtocoi.xsd"> 

- <ControlData> 

<Version>0x01000001<A^ersion> 
<MinVersion>0x010O0O01</MinVersion> 
<Command>RspondToCustomAction</Command> 
< Server> ned Iwnts2ice</Server> 
</ControlData> 

- <CustomActions 

id="<AGENT_INSTALLED_DIR>\\CustomActionsLibrary\\CustActl.dil"> 

- <Method id="GetRegStringValue"> 

<Parameter id="Resuit" type="xs: string" 
inout="out">5.0.1.10</Parameter> 

</Method> 
y= </CustomActions> 

Q - <CustomActions id="-C06E0062A-5069-4793-ACED-F80BElBBC4AF>"> 

- <Interface id = "{C9ElCC03-8007-412A-8F5D-532C57DF4482}"> 

- <Method id="ExecuteSiientZnstallation"> 

<Parameter id="Resuit" type="xs:string" inout="out">Error: Invalid 
3; Image path specified. </Parameter> 

</Method> 
</Interface> 

L - <Interface id="{C9ElCC03-8007-412A-8F5D-532C57DF4482}"> 

- <Method id="GetSystemDirectory"> 

^ <Parameter id="Dlrectory" type="xs:strfng" 

H inout="out">C:\Wlnnt\System32</Parameter> 

< Parameter id="Result" type="xs:decimai" 
5f inout="out">0</Parameter> 

</Method> 
</Interface> 
</GustomActions> 

- <CustomActions id="-C06E0062B-5069-4793-ACED-F80BElBBC4AF}"> 

- <Interface id="-CA000CC03-8007-412A-8F5D-532C57DF4482}"> 

- <Method id="TriggerEvent"> 

<Parameter id="Result" type="xs:string" inout="out"> Event sent to 
testco m p ute r2 </Pa ra mete r> 
</Method> 
</Interface> 
</CustomActions> 
</AgentProtocol> 




Inventor: NEDBAL, M. et al. 
SN unknown/Sheet 14 of 27 
Atty. Dkt.: 550-322 



Inventor: NEDBAL, M. et al 
unknown/Sheet 15 of 27 
Atty. DM.: 550-322 



0..0O 



J> 550-322 



<?xml version="l,0" ?> 

- <AgentProtocol xmlns="http://www.nai.com" 

xmlns:xsi="http://www.w3.6rg/2001/XMLSchema->instance" 
xsi:schemaLocation="http://www.nai.com CustomActionsProtocoi.xsd 
http://www.nai.com AgentConfiguration.xsd"> 

- <ControlData> 

<Version>0x01000001</Version> 
<MinVersion>0x01000001</MinVersion> 
<Command>RequestCustomAction</Command> 
<Server>nedlwnts2ke</Server> 
</ControlData> 

- <eustomActions id="RegistryMapping.dil''> 

- <Method id="WriteConfig"> 

- <RegistryConfiguration 

id="HKEY_LOCAL_MACHINE\SOFTWARE\McAfee"> 
- <Product id="Alert Manager"> 

<Version>0xO4070000</Version> 
^ <DisplayName>Alert Manager 4.7</DisplayName> 

y - <Language id="0407"> 

<Version>0x01000O02</Version> 
% - <Event id="l"> 

<LONGDESCRIPT>Das ist eine Test-Nachricht von Alert 
#H Manager. </LONGDESCRIPT> 

g <SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
r <Severity>5</Severity> 
PI <Enabled>l</Enabled> 
\i\ </Event> 

</Language> 
v| - <Language id="0409"> 

CI <Version>0x01000002</Version> 
fll - <Event id="l"> 

<LONGDESCRIPT>This is an alert manager test 

messge.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity>0</Severity> 
<Enabled>l</Enabled> 
</Event> 
- < Event id="2"> 

<LONGDESCRIPT>Text of event 2.</L0NGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity> 1</Severjty> 
</Event> 
</Language> 
</Product> 
</Reg istryConfi g u ratio n > 
</Method> 

- <Method id="ReadConfig"> 

<RegistryConfiguration 

id = "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\*" /> 

</Method> 
</CustomActions> 

- < Custom Actions ld="INIFiieMapping.dll"> 

- <Method id="WriteConfig"> 

- <FileConfiguration ld="C:\Program Files\Aiert \ 

Manager\AMGConfig.ini"> i VCi » 

- <Extensions> 



<amg>AMGConfig</amg> 
<asf>MPEGVideo</asf> 
<wmp>MPEGVideo2</wmp> 
</Extensions> 
</FileConfiguration> 
</Method> 

- <Method id="ReadConflg"> 

<FileConfiguratlon id="C:\Program Files\Alert 
Manager\AMGConfig.ini" /> 
</Method> 
</CustomActions> 
- <CustomActions id="MAPIMapping.dH"> 

- < Method id="WriteConflg"> 

- <DAPIConfiguration id='70=org/OU=TestSite/CN=TestContainer"> 
<BinaryProperty>0123456789ABCDEF00000</BinaryProperty> 
</DAPIConfiguration> 
t; </Method> 
y - <Method id="ReadConfig"> 

% <DAPIConfigu ration id='70=org/OU=TestSite/CN=TestContainer" /> 

fi\ </Method> 

]f </CustomActions> 

m </AgentProtoco!> 

O 
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'<?xml version="1.0" ?> 
- <AMGEvents xmlns="http://www.nai.com" 

xmins:xsi="http://www. w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.nai.com AMGEvents.xsd"> 
- <Product id = "Alert Manager"> 

<Version>0x04070000</Version> 
<DisplayName>Alert Manager 4.7</DisplayName> 

- <Language id="0407"> 

<Version>0x01000002</Version> 

- <Event id="l"> 

<LONGDESCRIPT>Das 1st eine Test-Nachricht von Alert 

Manager. </LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 

< Severity > 5 </Severity> 
<Enabled> 1</Enabled> 

</Event> 
</Language> 

- < Language id="0409"> 

<Version>0x01000002</Version> 

- <Event id="l"> 

<LONGDESCRIPT>This is an alert manager test 

messge.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity>0</Severity> 
<Enabled>l</Enabled> 
</Event> 

- <Event id="2"> 

<LOIMGDESCRIPT>Text of event 2.</L0NGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 

< Save rity > 1 </Severity > 
</Event> 

- <Event id="3"> 

<LONGDESCRIPT>Text of event 3.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity> 1</Severity> 
</Event> 

- <Event id="4"> 

<LONGDESCRIPT>Text of event 4.</L0NGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity> 1</Severity> 
</Event> 
</Language> 
</Product> 
</AMGEvents> 
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<?xm! version="1.0" encoding="UTF-8" ?> 

<!-- edited with XKL Spy v4.Q.l U (htro : //www. x:ni spy. coti) oy Napalr. 
(Napalir.; — > 
- <xs:schema targetNamespace="http://www.nai.com" 
xmlns="http:// www.nai.com" 

xmlns:xs="http:// www. w3.org/2001/XMLSchema" 
elementFormDefault="qualified"> 

<xs: element name="DisplayName" type="xs:strmg" /> 
<xs:element name="Enabled" type="xs:booIean" /> 

- <xs:complexType name="EventType"> 

- <xs:all> 

<xs:element ref="LONGDESCRIPr' /> 
<xs:element ref="SHORTDESCRIPT" /> 
<xs:element ref= "Severity" /> 
<xs:element ref="Enabled" minOccurs="0" /> 
</xs:all> 

<xs:attribute name="id" type="xs:string" use="required" /> 
</xs:complexType> 

- <xs:complexType name="LanguageType"> 

- <xs:sequence> 

<xs:eiement ref= "Version" /> 
<xs:element name="Event" type="EventType" 
maxOccurs="unbounded" /> 

</xs:sequence> 

<xs:attribute name="id" type="xs:string" use="required" /> 
</xs:complexType> 

- <xs:element name="Product"> 

- <xs:complexType> 

- <xs:sequence> 

<xs:element ref="Version" /> 
<xs:eiement ref="DispIayName" /> 
<xs:element name="Language" type="LanguageType" 
maxOccurs="unbounded" /> 
</xs:sequence> 

<xs:attribute name="id" type="xs:string" use= "required" /> 
</xs : CO m pi exTy pe > 
</xs:element> 

- <xs:element name="AMGEvents"> 

- <xs:complexType> 

- <xs:sequence> 

<xs:element ref="Product" maxOccurs="unbounded" /> 
</xs:sequence> 
</xs:comp!exType> 
</xs:element> 

<xs:element name="LONGDESCRIPT" type="xs:strlng" /> 
<xs:element name="SHORTDESCRIPT" type="xs:strlng" /> 
<xs:eiement name="Severity" type="xs:string" /> 
<xs:element name="Version" type="xs:string" /> 

</xs:schema> 
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